Information Security Projects - Secure Real Time Multiplayer Game

Tell us what’s happening:
Hi, I tried developing the secure Real Time Multiplayer Game, and I created the game; everything works, but I didn’t pay too much attention to details as it was more of a test. However, some doubts arose while looking at the proposed solution. When doing a bit of reverse engineering, I noticed that the scores are created locally and then accepted by the server as valid. This, however, means that if someone makes a call to socket.emit('new-player', mainPlayer) using the modified mainPlayer object, they could assign any value to the score, thereby preventing the true winner from ever winning. Initially, I chose not to create a player class on the client-side but rather directly on the server. I know that for a larger context, this approach may not be ideal, but apart from that, I wanted to hear an opinion about the code and whether there are any serious structural issues or if it’s fine. Thank you for your time, and sorry for my English :slight_smile:

Hello and welcome to the fcc forum :slight_smile:

  • I find your English is very good, good job :clap:
  • Also, it would be nice if you would share a “repl or any live” link for it

Happy coding :slight_smile:

Thanks, here’s the live link on Replit :slight_smile: secure-real-time-multiplayer-game - Replit

Your solution is correct: all information about game state should be created and maintained on the server to prevent manipulation from the client side. The client should not be able to affect the game in an invalid manner.

Be confident in your solution if you think you are right, until proven otherwise. The proposed solution is just an example; it won’t always be correct or be the optimal solution.
The example doesn’t have to be correct because it is a live demo for you to see what your game should look like; it isn’t a suggested solution, and you don’t necessarily have to follow it.

Your code looks good.
I have a few suggestions to improve things.

  1. You should limit the ‘playerMove’ event from the client through some mechanism on the server. I can change the client side code to spam that event in order to make the player move really fast, so this is one form of manipulation that needs to be prevented.
    Also, requestAnimationFrame(updatePosition) depends on the refresh rate of the client display. If the client display is 60Hz, it will execute 60 times per second. But if another player has a lower refresh rate display, that player will move slower as it makes fewer calls to the ‘playerMove’ event. So you really shouldn’t rely on it, or rely on it alone, to control player movement.
    Window: requestAnimationFrame() method - Web APIs | MDN

  2. Line 47 of game.mjs
    if(Object.values(keys).some((elemento) => elemento === true) != 0)
    ‘!= 0’ can be confusing because the output of some() is a boolean rather than an integer. If you want to make it clearer, use ‘=== true’.
    I would rather leave it without the comparison operator though, as the code works without it and I feel that it is as clear without the comparison operators.
    if(Object.values(keys).some(elemento => elemento))
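
An added example (not code from this thread or from the poster's project) of the two server-side points raised above: score and position are created and kept on the server, and the distance credited per 'playerMove' event comes from the server clock, so the event rate does not change the speed. All names, the speed, the field size and the event payload (a direction name only) are assumptions for illustration.

```javascript
// Hypothetical server-side game state; a socket handler would call applyMove().
const SPEED_PX_PER_SEC = 200;   // assumed maximum speed
const MAX_STEP_MS = 100;        // most elapsed time credited to a single event
const WIDTH = 640, HEIGHT = 480; // assumed play field
// A Map, so keys such as "constructor" never resolve to a direction.
const DIRS = new Map([['up', [0, -1]], ['down', [0, 1]],
                      ['left', [-1, 0]], ['right', [1, 0]]]);

function createGameState() {
  const players = new Map(); // socket id -> state owned by the server
  return {
    addPlayer(id, now) {
      // Nothing is read from the client: score and position start here.
      const p = { x: WIDTH / 2, y: HEIGHT / 2, score: 0, lastMove: now };
      players.set(id, p);
      return p;
    },
    // dir is the only client-supplied value; now is the server clock in ms.
    applyMove(id, dir, now) {
      const p = players.get(id);
      const vec = DIRS.get(dir);
      if (!p || !vec) return null; // unknown player or malformed input
      // Distance = speed * server-measured time since the last accepted move,
      // so 1000 events per second cover the same ground as 30.
      const elapsed = Math.min(Math.max(now - p.lastMove, 0), MAX_STEP_MS);
      const dist = (SPEED_PX_PER_SEC * elapsed) / 1000;
      p.x = Math.min(Math.max(p.x + vec[0] * dist, 0), WIDTH);
      p.y = Math.min(Math.max(p.y + vec[1] * dist, 0), HEIGHT);
      p.lastMove = now;
      return { x: p.x, y: p.y, score: p.score };
    },
  };
}

// Constructed input: one second of 'right' events at a given rate.
function simulate(eventsPerSecond) {
  const game = createGameState();
  game.addPlayer('a', 0);
  let pos = null;
  for (let i = 1; i <= eventsPerSecond; i++) {
    pos = game.applyMove('a', 'right', (i * 1000) / eventsPerSecond);
  }
  return pos;
}
```

Because of MAX_STEP_MS, a client that sends fewer than 10 events per second moves slower than the maximum, and a long pause followed by one event earns at most 100 ms of movement.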
